WannaCry Ransomware: How To Protect Your Organization

23 May 2017

Technology… is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other.[1]

The Facts:

An international cyber-attack known as the WannaCry ransomware outbreak began on Friday, 12 May 2017. It paralyzed multiple sectors and, according to contemporary reports, affected some 100,000 organizations in over 150 countries. Among the sectors and countries hit were: healthcare, through the computer systems of the NHS (National Health Service) in England; telecommunications in Spain, through the company Telefónica; the railways in Germany; the automaker Renault in France; the interior ministry of Russia; and a number of computer systems in Thailand.

This points to a trend of worldwide attacks that target many industries at once, unlike earlier ransomware campaigns: CryptoLocker and CryptoWall in 2013 were noted mainly for their impact on law enforcement agencies[2], and CTB-Locker, which emerged in 2014, became one of the top malware threats to the financial services industry.[3]

WannaCry was the first ransomware outbreak to threaten every kind of industry at the same time, and it is unlikely to be the last of its kind. All sectors should therefore prioritize cybersecurity and keep their IT systems updated to reduce the risk of being caught in a similar trap.

What is WannaCry Ransomware?

The attack was caused by malware called “WannaCry”, also known as “WanaCrypt0r 2.0”, which belongs to the ransomware family of high-tech crime. Malware is software specifically designed to disrupt, damage, or gain access to a computer system without the knowledge of its owner. Ransomware in particular encrypts the files on an infected computer (the machine itself keeps running, but its documents become unreadable) and demands payment through a specified online payment method before access is restored. The payment method favoured for this kind of attack is Bitcoin, the first decentralized digital cryptocurrency. The ransom demanded to restore access to an infected computer usually ranges from $300 to $600; WannaCry asked for $300 in Bitcoin and doubled the demand after three days.

The WannaCry attack illustrates many of the features and challenges of modern cybercrime listed in Jonathan Clough’s “Principles of Cybercrime”[4]: the attack was “organized, financially motivated, technologically sophisticated and transnational”. Its sophistication lay in how it spread: it was reported to send phishing emails to the contacts stored on an infected computer, and, above all, it used the EternalBlue exploit together with the DoublePulsar backdoor. Phishing is an attempt to obtain sensitive information, usually for malicious purposes, by posing as a trustworthy entity in an electronic communication. EternalBlue exploits a vulnerability in the SMBv1 file-sharing server built into Microsoft Windows, for which Microsoft had published a fix in security bulletin MS17-010 in March 2017; DoublePulsar is the kernel-level implant it installs, through which the worm loaded the ransomware. Machines that had not applied that standard Windows security update two months later remained exposed.

Today the convenience of electronic banking and online transactions provides fertile ground for fraud[5]. And yet many national and international organizations still make the mistake of processing their sensitive data on legacy systems[6], which invariably leaves them vulnerable.

Why could the WannaCry spread rapidly?

According to the newspaper “Le Monde” [7]: “WanaCrypt0r 2.0 relies on a Microsoft Windows security vulnerability that was only recently revealed. It was one of a series of hacking tools belonging to the American NSA that were revealed in early 2017 by a mysterious group calling itself ‘The Shadowbrokers’. The software seems to have mainly affected machines using old versions of Windows; users of Windows 10 are immune, according to Microsoft.” The worm infected any reachable system that had not installed the March 2017 security update. Within days of the outbreak Microsoft also released the fix for versions it no longer supported, such as Windows XP and Windows Server 2003, which would otherwise have remained exposed.

How to prevent the WannaCry Ransomware or future malware from happening?

Two answers can be given. The first takes an international point of view: how to respond with legal measures, as harmonized as possible, to an attack of worldwide scale. The second answers a practical question: how to prevent ransomware from infecting your electronic devices?

An international answer:

Given the transnational nature of the attack, it is vital that harmonization among countries be reached. Governments, industry, and law enforcement agencies must cooperate by exchanging information in order to facilitate the criminal investigation and the arrest of the perpetrators. However, full consensus is unachievable, because each country protects its own sovereignty and imposes its own standards under its domestic criminal law[8]. Only a broad consensus can therefore emerge. The Convention on Cybercrime of the Council of Europe, known as the “Budapest Convention”, is the first binding multinational instrument to address cybercrime[9].

The Council of Europe summarizes the treaty as follows: “The Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception. Its main objective, set out in the preamble, is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.”[10]

How to prevent Ransomware from infecting your electronic devices?

The malware can propagate in two ways: when a user opens a malicious attachment (a Word or PDF document), and also via the network. WanaCrypt0r 2.0 is a self-propagating worm: from each machine it infects, it scans the local network and random Internet addresses for other hosts exposing the vulnerable SMBv1 service on TCP port 445, and infects them without any action by the user[11].

To protect your electronic devices against WannaCry and similar attacks, the following advice is valuable. Keep clean backups in secure storage that an infected machine cannot write to, so that data held hostage by ransomware can be recovered; ransomware encrypts every drive it can reach, including mapped network shares, so a backup that is permanently mounted is not a real backup. Install the latest security patches and run comprehensive security software on your computers and servers, and update your software regularly, since many infections exploit bugs for which a fix already exists. Use anti-virus software, and browse and download software only from trusted websites. If you fall victim to ransomware, report it immediately to your local police and to the payment processor involved. [12]

In Thailand, the High-Tech Crime Unit IT suppression division of the Royal Thai Police oversees the fight against technology-related crimes.

According to the ICC Cyber Security Guide for Business[13], several key security principles must be followed to achieve sound protection of a computer system. The first is to build a “healthy ecosystem” within the organization: cyber security must go beyond the IT department, and all stakeholders should be involved in identifying the problems. A periodic assessment of the company’s resilience to cyber threats and vulnerabilities is essential to measure progress towards risk management goals and the adequacy of cyber security activities[14]. The second principle is to put in place an “organizational response plan”, which helps business managers understand when to engage specialized third parties to contain and remedy a security incident, and when it is appropriate to contact other external parties.[15] The third is to invest in training, so that all personnel with access to important information and information systems understand their daily responsibilities for handling, protecting and supporting the company’s information security activities.

What should you not do?

Never click on attachments, banners, or links without knowing their true origin. Do not install mobile apps from unknown providers or sources. If a website warns you that software, drivers or plug-ins on your computer are out of date, do not take it at face value: it is easy for criminals to fake company and software logos, and a quick web search will tell you whether your software is really out of date. Last but not least, and probably the most important advice: avoid paying. Paying does not guarantee that your problem will be solved or that you will regain access to your files; in WannaCry’s case the ransom went to a handful of hard-coded Bitcoin addresses, so the operators could not even tell which victim had paid. In addition, you would be funding the cybercriminals’ business and their further illegal activities.[16]